Technology
Data Privacy & Security
The Board of Regents adopted Part 121 of the Regulations of the Commissioner of Education on January 13, 2020. These rules will implement Education Law Section 2-d and provide guidance to educational agencies and their third-party contractors on ways to strengthen data privacy and security to protect student data and annual professional performance review data. It will apply to both charter and traditional public schools. The Regulations were overseen by the Department’s Chief Privacy Officer, Temitope Akinyemi.
These Regulations govern the use of student Personally Identifiable Information (PII) in regards to third-party software vendors and platforms. All third-party contractors who collect and store student PII need to have a signed copy of the West Valley Central School District Parent’s Bill of Rights, in addition to a Supplemental Information Addendum that states publicly why they collect student PII, how it is stored and used, what happens to the collected data upon end of contract terms, and how data will be protected and encrypted. These forms will be posted on the West Valley Central School website for viewing at any time.
For questions, concerns, or communication, please contact:
Donovan Bielecki
West Valley Central School Data Privacy Officer
DPO@wvalley.org
- Data Privacy & Security Policy
- Glossary of Terms
- Parent Bill of Rights
- Parents Fact Sheet
- Parent FAQs
- Reporting a Student Data Breach
- FERPA (Family Educational Rights and Privacy Act)
- Vendor Agreements
Data Privacy & Security Policy
Statement of Policy 5676 - Privacy and Security For Student Data and Teacher and Principal Data/Parents Bill of Rights for Data Privacy and Security
The NYSSB/NYSSD are committed to maintaining the privacy and security of student data and teacher and administrator data and will follow all applicable laws and regulations for the handling and storage of this data in the NYSSB/NYSSD and when disclosing or releasing it to others, including, but not limited to, third-party contractors. The NYSSB/NYSSD adopts this policy to implement the requirements of Education Law Section 2-d and its implementing regulations, as well as to align the NYSSB/NYSSD's data privacy and security practices with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (Version 1.1). With regard to personnel and business practices, this procedure is intended to supplement current policy/procedures regarding PII.
Privacy And Security Policy for Student Data and Teacher and Principal Data
Glossary of Terms
Education Law Section 2-D Definitions
“Educational agency” means a school district, board of cooperative educational services, school, or the education department.
“Personally identifiable information,” as applied to student data, means personally identifiable information as defined in section 99.3 of title thirty-four of the code of federal regulations implementing the family educational rights and privacy act, section twelve hundred thirty-two-g of title twenty of the United States code, and, as applied to teacher or principal data, means “personally identifying information” as such term is used in subdivision ten of section three thousand twelve-c of this chapter.
“School” means any public elementary or secondary school, universal pre-kindergarten program authorized pursuant to section thirty-six hundred two-e of this chapter, an approved provider of preschool special education, any other publicly funded pre-kindergarten program, a school serving children in a special act school district as defined in section four thousand one of this chapter, an approved private school for the education of students with disabilities, a state-supported school subject to the provisions of article eighty-five of this chapter, or a state-operated school subject to the provisions of article eighty-seven or eight-eight 1 of this chapter.
“Student” means any person attending or seeking to enroll in an educational agency.
“Eligible student” means a student eighteen years or older.
“Parent” means a parent, legal guardian, or person in parental relation to a student.
“Student data” means personally identifiable information from student records of an educational agency.
“Teacher or principal data” means personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of section three thousand twelve-c of this chapter.
“Third party contractor” shall mean any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs. Such term shall include an educational partnership organization that receives student and/or teacher or principal data from a school district to carry out its responsibilities pursuant to section two hundred eleven-e of this title and is not an educational agency as defined in paragraph c of this subdivision, and a not-for-profit corporation or other non-profit organization, other than an educational agency.
Parent Bill of Rights
The West Valley Central School District is committed to protecting the privacy and security of student, teacher, and principal data. In accordance with New York Education Law § 2-d, the District wishes to inform the school community of the following:
- A student's personally identifiable information cannot be sold or released for any commercial purposes.
- Parents have the right to inspect and review the complete contents of their child’s education record.
- State and federal laws protect the confidentiality of personally identifiable information, and safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection, must be in place when data is stored or transferred.
- A complete list of all student data elements collected by the State is available for public review at: https://www.nysed.gov/data-privacy-security/student-data-inventory or by writing to the Office of Information & Reporting Services, New York State Education Department, Room 863 EBA, 89 Washington Avenue, Albany, New York 12234.
APPENDIX
Supplemental Information Regarding Third-Party Contractors
In the course of complying with its obligations under the law and providing educational services to District residents, the West Valley Central School District has entered into agreements with certain third-party contractors. Pursuant to such agreements, third-party contractors may have access to "student data" and/or "teacher or principal data," as those terms are defined by law.
Each contract the District enters into with a third-party contractor where the third party contractor receives student data or teacher or principal data will include the following information:
- The exclusive purposes for which the student data or teacher or principal data will be used;
- How the third-party contractor will ensure that the subcontractors, persons or entities that the third party contractor will share the student data or teacher or principal data with, if any, will abide by data protection and security requirements;
- When the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement;
- If and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected; and
- Where the student data or teacher or principal data will be stored (described in such a manner as to protect data security), and the security protections taken to ensure such data will be protected, including whether such data will be encrypted.
Parents Fact Sheet
Parent FAQs
Frequently Asked Questions About Data Privacy and Security
Can companies that provide services to my school under contract (third party contractors) buy my information or use it for their marketing purposes?
No. Your personally identifiable information (PII) cannot be sold by a contractor or used for marketing purposes.
Must I be notified if there is an unauthorized disclosure of my personally identifiable information?
Yes. The school must notify the parent or eligible student of the unauthorized release of student data in the most expedient way possible and without unreasonable delay. This applies to cases of an unauthorized release of teacher or principal personally identifiable information data as well. Each affected teacher or principal must be notified.
What other laws protect my student’s data?
In addition to New York’s Education Law Section 2-d, there are federal laws that are designed to protect student data and prohibit any misuse. The Family Educational Rights and Privacy Act (FERPA) is the foundational federal law on the privacy of students’ educational records. It was enacted in 1974 and applies to schools that receive federal funding, which are most public schools and some, but not all, private schools. FERPA safeguards student privacy by limiting who may access student records, specifying for what purpose they may access those records, and detailing what rules they have to follow when accessing the data. FERPA also includes provisions that guarantee a parent’s right to access, review and request the correction of their child’s educational record. For additional information about FERPA and other federal laws, please visit our page, Federal Laws that Protect Student Data. Other applicable laws are the Protection of Pupil Rights Amendment (PPRA) which defines the rules states and school districts must follow when administering tools like surveys, analysis, and evaluations funded by the US Department of Education to students, and the Children’s Online Privacy Protection Rule (COPPA) which imposes certain requirements on operators of websites, games, mobile apps or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age.
How will contracted service providers be held accountable for maintaining the confidentiality of the student data they receive?
Educational agencies that contract with third parties who will receive student PII must enter into contracts with such third parties which include certain conditions outlined in the law such as the inclusion of a data security and privacy plan, the parents bill of rights and minimum technical security standards to protect student PII. The Chief Privacy Officer is also authorized by the law to impose civil penalties.
What are the essential parents’ rights under the Family Educational Rights and Privacy Act (FERPA) relating to personally identifiable information in their child’s student records?
The rights of parents under FERPA are summarized in the Model Notification of Rights prepared by the United States Department of Education for use by schools in providing annual notification of rights to parents.
Parents’ rights under FERPA include:
- The right to inspect and review the student’s education records within 45 days after the day the school or school district receives a request for access.
- The right to request amendment of the student’s education records that the parent or eligible student believes are inaccurate, misleading, or otherwise in violation of the student’s privacy rights under FERPA. Complete student records are maintained by schools and school districts and not at NYSED, therefore, NYSED cannot make amendments to school or school district records. Schools and school districts are best positioned to make corrections to students’ education records.
- The right to provide written consent before the school discloses personally identifiable information (PII) from the student’s education records, except to the extent that FERPA authorizes disclosure without consent (including but not limited to disclosure under specified conditions to: (i) school officials within the school or school district with legitimate educational interests; (ii) officials of another school for purposes of enrollment or transfer; (iii) third party contractors providing services to, or performing functions for an educational agency; (iv) authorized representatives of the U. S. Comptroller General, the U. S. Attorney General, the U.S. Secretary of Education, or State and local educational authorities, such as NYSED; (v) organizations conducting studies for or on behalf of educational agencies) and (vi) the public where the school or school district has designated certain student data as “directory information” (described below). The FERPA Model Notification of Rights more fully describes the exceptions to the consent requirement under FERPA).
- Where a school or school district has a policy of releasing “directory information” from student records, the parent has a right to refuse to let the school or school district designate any of such information as directory information. Directory information, as defined in federal regulations, includes: the student’s name, address, telephone number, email address, photograph, date and place of birth, major field of study, grade level, enrollment status, dates of attendance, participation in officially recognized activities and sports, weight and height of members of athletic teams, degrees, honors and awards received and the most recent educational agency or institution attended. Where disclosure without consent is otherwise authorized under FERPA, however, a parent’s refusal to permit disclosure of directory information does not prevent disclosure pursuant to such separate authorization.
- The right to file a complaint with the U.S. Department of Education concerning alleged failures by the School to comply with the requirements of FERPA.
What “educational agencies” are included in the requirements of Education Law §2-d?
- The New York State Education Department (“NYSED”);
- Each public school district;
- Each Board of Cooperative Educational Services or BOCES; and
- All schools that are:
- a public elementary or secondary school;
- universal pre-kindergarten program authorized pursuant to Education Law §3602-e;
- an approved provider of preschool special education services; o any other publicly funded pre-kindergarten program;
- a school serving children in a special act school district as defined in Education Law 4001; or
- certain schools for the education of students with disabilities – an approved private school, a state-supported school subject to the provisions of Education Law Article 85, or a state-operated school subject to Education Law Article 87 or 88.
What kind of student data is subject to the confidentiality and security requirements of Education Law §2-d?
The law applies to personally identifiable information contained in student records of an educational agency listed above. The term “student” refers to any person attending or seeking to enroll in an educational agency, and the term “personally identifiable information” (“PII”) uses the definition provided in FERPA. Under FERPA, personally identifiable information or PII includes, but is not limited to:
- The student’s name;
- The name of the student’s parent or other family members;
- The address of the student or student’s family;
- A personal identifier, such as the student’s social security number, student number, or biometric record;
- Other indirect identifiers, such as the student’s date of birth, place of birth, and Mother’s Maiden Name;
- Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or
- Information requested by a person who the educational agency or institution reasonably believes knows the identity of the student to whom the education record relates.
What kind of student data is not subject to the confidentiality and security requirements of Education Law §2-d?
The confidentiality and privacy provisions of Education Law §2-d and FERPA extend only to PII, and not to student data that is not personally identifiable. Therefore, de-identified data (e.g., data regarding students that uses random identifiers), aggregated data (e.g., data reported at the school district level) or anonymized data that could not be used to identify a particular student is not considered to be PII and is not within the purview of Education Law §2-d.
What protections are required to be in place if an educational agency contracts with a third-party contractor to provide services, and the contract requires the disclosure of PII to the third party contractor?
Education Law §2-d provides very specific protections for contracts with “third party contractors”, defined as any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency. The term “third party contractor” also includes an educational partnership organization that receives student and/or teacher or principal APPR data from a school district to carry out its responsibilities pursuant to Education Law §211-e, and a not-for-profit corporation or other non-profit organization, which are not themselves covered by the definition of an “educational agency.”
Services of a third-party contractor covered under Education Law §2-d include, but not limited to, data management or storage services, conducting studies for or on behalf of the educational agency, or audit or evaluation of publicly funded programs.
When an educational agency enters into a contract with a third-party contractor, under which the third-party contractor will receive student data, the contract or agreement must include a data security and privacy plan that outlines how all state, federal, and local data security and privacy contract requirements will be implemented over the life of the contract, consistent with the educational agency’s policy on data security and privacy. However, the standards for an educational agency’s policy on data security and privacy must be prescribed in Regulations of the Commissioner that have not yet been promulgated. A signed copy of the Parents’ Bill of Rights must be included, as well as a requirement that any officers or employees of the third-party contractor and its assignees who have access to student data or teacher or principal data have received or will receive training on the federal and state law governing confidentiality of such data prior to receiving access.
Each third party contractor that enters into a contract or other written agreement with an educational agency under which the third party contractor will receive student data or teacher or principal data must also comply with additional requirements outlined in Education Law §2-d such as limiting internal access to education records to those individuals that are determined to have legitimate educational interests, not using the education records for any other purposes than those explicitly authorized in its contract; not disclosing any PII to any other party that is not an authorized representative of the third party contractor to the extent they are carrying out the contract (i) without the prior written consent of the parent or eligible student; or (ii) unless required by statute or court order and the party provides a notice of the disclosure to NYSED, district board of education, or institution that provided the information no later than the time the information is disclosed, unless providing notice of the disclosure is expressly prohibited by the statute or court order; maintaining reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII in its custody; and using encryption technology to protect data while in motion or in its custody from unauthorized disclosure.
What steps can and must be taken in the event of a breach of confidentiality or security?
NYSED’s Chief Privacy Officer is authorized to investigate, visit, examine and inspect the third-party contractor’s facilities and records and obtain documentation from, or require the testimony of, any party relating to the alleged improper disclosure of student data or teacher or principal APPR data. Where there is a breach and unauthorized release of PII by a third-party contractor or its assignees, the third-party contractor must notify NYSED of the breach in the most expedient way possible and without unreasonable delay. NYSED must then notify the parents in the most expedient way possible and without unreasonable delay. The law also authorizes the Chief Privacy Officer to impose certain penalties such as a monetary fine; mandatory training regarding federal and state law governing the confidentiality of student data, or teacher or principal APPR data; and preclusion from accessing any student data, or teacher or principal APPR data, from an educational agency for a fixed period up to five years.
Reporting a Student Data Breach
Parents have the right to submit complaints about possible breaches of student data. Complaints may be submitted online or in writing to either West Valley CSD or the NYS Education Department.
- Submitting data breaches to West Valley Central School
- Report a data breach online
- Mail: West Valley Central School District, Data Privacy Officer, 5359 School Street, West Valley, New York 14171.
- Submitting data breaches to the New York State Education Department
- Report a data breach online
- Mail: Chief Privacy Officer, New York State Education Department, 89 Washington Avenue, Albany, New York 12234.
FERPA (Family Educational Rights and Privacy Act)
Notification of Rights Under the Family Educational Rights and Privacy Act (FERPA)
FERPA is a federal law designed to protect the privacy of student records. The law gives parents and students over 18 years of age (referred to in the law as “eligible students”) the following rights:
- The right to inspect and review the student’s education records within 45 days of the day the District receives a request for access. Parents or eligible students should submit to the Building Principal a written request that identifies the records they wish to inspect. The Principal will make arrangements for access and notify the parents or eligible student of the time and place where the records may be inspected.
- The right to request the amendment of the student’s education records that the parent or eligible student believes are inaccurate or misleading. Parents or eligible students may ask the District to amend a record that they believe is inaccurate or misleading by writing the Principal, clearly identifying the part of the record they want changed and specifying why it is inaccurate or misleading. If the District decides not to amend the record as requested by the parent or eligible student, the District will notify the parent or eligible student of the decision and advise them of their rights to a hearing regarding the request for amendment. Additional information regarding the hearing procedures will be provided to the parent or eligible student when notified of the right to a hearing.
- The right to consent to disclosures of personally identifiable information contained in the student’s education records, except to the extent that FERPA authorizes disclosure without consent. One exception which permits disclosure without consent is disclosure to school officials with legitimate educational interests. A school official is a person employed by the District as an administrator, supervisor, instructor, or support staff member (including health or medical staff and law enforcement unit personnel); a person serving on the school board; a person or company with whom the district has contracted to perform a special task (such as an attorney, auditor, medical consultant, or therapist); or a parent of student serving on an official committee, such as a disciplinary or grievance committee, or assisting another school official in performing his or her tasks. A school official has a legitimate educational interest if the official needs to review an education record in order to fulfill his or her professional responsibility. Upon request, the District discloses education records without consent to officials of another school district in which a student seeks or intends to enroll.
- The right to file a complaint with the U.S. Department of Education concerning alleged failures by the District to comply with the requirements of FERPA. The Office that administers FERPA is: Family Policy Compliance Office, U.S. Department of Education, 600 Independence Avenue SW, Washington, DC 20202-5605.
In addition to the rights outlined above, FERPA also gives the school District the option of designating certain categories of student information as “directory information.” Directory information includes a student’s name, address, telephone number, date and place of birth, major course of study, participation in school activities or sports, weight and height if a member of an athletic team; dates of attendance, degrees and awards received, most recent school attended, class schedule, photograph, e-mail address, and class roster. You may object to the release of any or all of this “directory information”; however, you must do so in writing by September 8, 2023.
If we do not receive a written objection, we will be authorized to release this information without your consent. For your convenience, you may note your objections to the release of directory information on the form provided and return it to the Building Principal.
Release of Directory Information Under FERPA
Unless objection to any of the specific items in the following “Directory Information” is submitted in writing by parents, legal guardians or those students over the age of 18 years, the West Valley Central School District herewith gives notice of intention to provide, release or publish in the district or building newsletters; school or student newspapers; school website or other district approved social media or social networking sites; yearbooks or other publications; daily or weekly newspapers; athletic programs; musical, theatrical or award programs; news releases and school-related organizations any or all of the following directory information pertaining to students as may be appropriate under the circumstances:
- the student’s name
- student’s photograph
- parent’s name
- major field of study
- participation in officially recognized activities and sports
- weight and height of members of athletic teams
- dates of attendance
- degrees and awards received and the most recent previous educational agency or institution attended by the student
Under the regulations of this act, parents, guardians or students over the age of 18 who do not desire the release of any of the above directory information must make a specific request in writing to the Superintendent by September 8, 2023. Failure to make such request shall be deemed consent to release,provide or publish directory information (during the 2023-2024 school year).
Please Note: Although not considered directory information, student created work, video or audio recordings, or electronic images may be used without prior consent in order to publicize or promote a school district program. If you wish to refuse permission for the use of your student’s work, video or audio recordings, or electronic images in district publications, media releases or district website, you must notify the Building Principal in writing by September 8, 2023.
Student Privacy – Notification to Parents
The Board of Education recognizes that student privacy is an important concern of parents and the Board wishes to ensure that student privacy is protected pursuant to the Protection of Pupil Rights Amendment, as revised by the Elementary and Secondary Education Act. To that end, the Board has adopted a policy on student privacy. Pursuant to the Protection of Pupil Rights Amendment, as revised by the Elementary and Secondary Education Act, and the West Valley Central School District policy on student privacy, you have the right to opt your child out of the following activities:
- The collection, disclosure and use of personal information gathered from students for the purpose of marketing or selling that information. This does not apply to the collection, disclosure, or use of personal information collected from students for the exclusive purpose of developing, evaluating or providing educational products or services for, or to students, such as:
- College or other postsecondary education recruitment, or military recruitment;
- Book clubs, magazines and programs providing access to low cost literary products;
- Curriculum and instructional materials used in schools;
- Tests and assessments used to provide cognitive, evaluative, diagnostic, clinical, aptitude, or achievement information for students or to generate other statistically useful data for the purpose of securing such tests and assessments, and the subsequent analysis and public release of the aggregate data from such tests and assessments;
- Student recognition programs; and
- The sale by students of products or services to raise funds for school-related activities.
- The administration of any survey revealing information concerning one or more of the following:
- Political affiliations or beliefs of the student or the student’s parent;
- Mental or psychological problems of the student or the student’s family;
- Sexual behavior or attitudes;
- Illegal, anti-social, self-incriminating or demeaning behavior;
- Critical appraisals of other individuals with whom respondents have close family relationships;
- Legally recognized privileged or analogous relationships, such as those of lawyers, physicians and ministers;
- Religious practices, affiliations or beliefs of the student or the student’s parents; or
- Income (other than that required by law to determine eligibility for participation in a program or for receiving financial assistance under such program.)
- The administration of any non-emergency, invasive physical examination or screening that is required as a condition of attendance, administered by the school, not necessary to protect the immediate health or safety of the student or other students and not otherwise permitted or required by state law. The term “invasive physical examination” means any medical examination that involves the exposure of private body parts, or any act during such examination that includes incision, insertion, or injecting into the body, but does not include a hearing, vision or scoliosis screening. It does not apply to any physical examination or screening required or permitted under State law, including those permitted without parental notification.